First run pfBlockerNG - false positive?
-
Hi,
I just installed pfBlockerNG, and almost immediately my firewall caught my media player which tried to reach 10.10.10.1:443, which is the pfBlockerNG's DNSBL Webserver Virtual IP Address...
Destination seems to have been app-measurement.com. Whatever that may be... I probably get this wrong, but could this make sense?
- media player tried to go to app-measurement.com and pfBlockerNG caught that and wanted to dispose of the attempt - but as I block anything I don't accept, it failed?
So what would the correct action here be? Should I allow anything to this Virtual IP (guess used as a sinkhole?)?
Thanks
-
@furom the pfBlocker IP shows an error/info page for http (or a cert error for https). I believe you can turn that off and have it go nowhere if you want.
-
@steveits said in First run pfBlockerNG - false positive?:
@furom the pfBlocker IP shows an error/info page for http (or a cert error for https). I believe you can turn that off and have it go nowhere if you want.
I actually got no such thing. I guess because I am not permitting the Virtual IP...? So should I let it connect to the virtual IP or not?
-
@furom Up to you, if you want users to see that warning page.
-
@furom said in First run pfBlockerNG - false positive?:
media player tried to go to app-measurement.com and pfBlockerNG caught that and wanted to dispose of the attempt
Exact.
Disable pfBlockerng, and then 'ask' what IPv4 'app-measurement.com' has.
You'll see, it exists.
When I ask what 'app-measurement.com' I get a solid:
[23.01-RELEASE][admin@pfSense.closetome.tld]/root: host app-measurement.com
app-measurement.com has address 0.0.0.0
Host app-measurement.com not found: 2(SERVFAIL)
This means that 'app-measurement.com' was on some list/feed that I let pfBlockerng use.
Btw, 0.0.0.0 and not 10.10.10.1 because the virtual IP coupled with a web browser telling you that the site you try to visit just doesn't work.
Ok, it works ... but only for http:// visits, and who does http:// these days? Nobody.
https:// visits with a web browser will show a browser-dependent page telling the browser user that a very complicated error has arrived. And certainly not the pfBlocker web server page telling the user the URL/hostname in question has been blocked.
So, my advice: select "0.0.0.0 = null logging" everywhere, don't bother using this one :
@furom said in First run pfBlockerNG - false positive?:
but as I block anything I don't accept, it failed?
You, and pfBlockerng, did nothing.
But you, as the admin, have added dnsbl feeds (or IP feeds) to pfBlockerng.
Hostnames (or IP's) in these feeds will get blocked.
Did you have a look at these lists? ;)
-
@gertjan said in First run pfBlockerNG - false positive?:
But you, as the admin, have added dnsbl feeds (or IP feeds) to pfBlockerng.
Hostnames (or IP's) in these feeds will get blocked.
Did you have a look at these lists ? ;)
Thank you for a nice and informative answer! I will try with the address you suggest, and no... I have not looked at the lists in detail, but looks like a good idea to get a better understanding of this... :)
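
The check described in the thread (ask the resolver for the hostname and see whether the answer is a DNSBL sinkhole address), as an added example that is not part of the original posts. It classifies `host` output, assuming the two sinkhole answers mentioned above (10.10.10.1 for the DNSBL VIP, 0.0.0.0 for null logging); the function name and the second and third sample outputs are constructed for illustration.

```python
import ipaddress
import re

# Sinkhole answers named in the thread; change DNSBL_VIP if yours differs.
DNSBL_VIP = ipaddress.ip_address("10.10.10.1")  # DNSBL webserver virtual IP
NULL_BLOCK = ipaddress.ip_address("0.0.0.0")    # "null logging" answer

A_RECORD = re.compile(r"^\S+ has address (\S+)\s*$", re.MULTILINE)

# Sample outputs: the first is the one quoted in the thread, the other two
# are constructed (example.test / 192.0.2.10 are documentation values).
SAMPLE_NULL = """app-measurement.com has address 0.0.0.0
Host app-measurement.com not found: 2(SERVFAIL)
"""
SAMPLE_VIP = "app-measurement.com has address 10.10.10.1\n"
SAMPLE_OK = "example.test has address 192.0.2.10\n"


def classify_host_output(text):
    """Return (verdict, addresses) for the output of `host <name>`."""
    addrs = []
    for raw in A_RECORD.findall(text):
        try:
            addrs.append(ipaddress.ip_address(raw))
        except ValueError:
            continue  # not a literal IP address, skip it
    if not addrs:
        return "no-answer", []
    if NULL_BLOCK in addrs:
        verdict = "dnsbl-null"   # blocked, client gets an unroutable answer
    elif DNSBL_VIP in addrs:
        verdict = "dnsbl-vip"    # blocked, client will connect to the VIP
    else:
        verdict = "resolved"     # not on any enabled DNSBL feed
    return verdict, [str(a) for a in addrs]


if __name__ == "__main__":
    for sample in (SAMPLE_NULL, SAMPLE_VIP, SAMPLE_OK):
        print(classify_host_output(sample))
```

A `dnsbl-vip` verdict means firewall log entries for a client connecting to 10.10.10.1:443 are the sinkholed connection itself, which is the situation in the first post.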